Consensus metrics for information security

The Center for Internet Security (CIS) announced the public release of the industry’s first consensus metrics for information security. The metrics are user-originated, unambiguous definitions for security professionals to measure some of the most important aspects of the information security status of an enterprise.

Used on a repeatable basis, organizations can trend the results of security processes and decisions to better evaluate the impact of their programs and adjust their efforts – a feedback loop that enables continuous improvement of outcomes from security investments.

Widespread adoption of the consensus metrics can enable cross-organization benchmarking, creating a mechanism for enterprises to learn from one another and, ultimately, drive trends in security incidents downward.

The initial set of metrics is comprised of 20 definitions representing a balanced combination of processes and outcomes across six business functions: Incident Management, Vulnerability Management, Patch Management, Application Security, Configuration Management and Finance.

Security professionals are under intense pressure to justify their program expenses. But the lack of widely accepted and unambiguous metrics for decision support causes organizations to struggle in making cost-effective security investment decisions. “Now that they are available, we recommend organizations start by picking a few outcome-based consensus security metrics that can be consistently measured with the same frequency and rigor as public financial results,” said Steven Piliero, Chief Security Officer, the Center for Internet Security.